Writeup Offensive 100 – TrendMicro CTF 2017

Once we downloaded and decrypted the challenge file we found a zip archive, so the first step was to unzip it and get the ‘Forensic_Encyption’ file. It looks like a PE file, or at least that is what the ‘file’ command reports, as we can see in the picture below.

Nevertheless, this ‘MS-DOS executable’ was not one. Digging into the file structure with ‘hexdump’ we realized that it is actually a zip file. How did we spot that? The ‘PK’ signatures near the end of the file, each followed by what looks like a filename (the zip central directory), give it away: ‘file’ only looks at the first bytes, and those had been tampered with.

This is easy to fix: open your favourite hex editor and change the ‘MZ’ at the beginning of the file back to ‘PK’ (which restores the local file header signature PK\x03\x04), add a ‘.zip’ extension and we are good to go. Now we can extract the real content.
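The same detection and repair, done programmatically rather than by eye, as an added example that is not part of the original writeup. It walks the zip from the end-of-central-directory record (the way unzip itself does), lists the central directory entries regardless of what the first two bytes claim, and then applies the two-byte patch. The sample archive is constructed in memory and disguised exactly as the challenge file was; the member names are assumptions, not the challenge's.

```python
import io
import struct
import zipfile

# Zip signatures: local file header, central directory file header,
# end-of-central-directory record.
LFH_SIG = b"PK\x03\x04"
CDFH_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"


def build_disguised_sample() -> bytes:
    """Constructed stand-in for the challenge file: a real zip whose first
    two bytes ('PK') have been overwritten with 'MZ'. Member names are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("file_1.jpg", b"not really a jpeg")
        zf.writestr("file_2.zip", b"not really a zip")
        zf.writestr("file_3.pcap", b"not really a pcap")
    data = bytearray(buf.getvalue())
    data[:2] = b"MZ"
    return bytes(data)


def zip_fingerprint(data: bytes) -> dict:
    """Decide whether 'data' is a zip by walking it from the end, the way
    unzip does, ignoring whatever the first bytes claim."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        return {"is_zip": False}
    # EOCD: sig, disk no, cd disk, entries on disk, total entries,
    # cd size, cd offset, comment length
    (_, _, _, _, entries, _cd_size, cd_offset, _) = struct.unpack(
        "<4sHHHHIIH", data[eocd:eocd + 22])
    names = []
    pos = cd_offset
    for _ in range(entries):
        if data[pos:pos + 4] != CDFH_SIG:
            break
        # fixed part of a CD entry is 46 bytes; the three variable-length
        # field sizes sit at offsets 28, 30 and 32
        name_len, extra_len, comment_len = struct.unpack(
            "<HHH", data[pos + 28:pos + 34])
        names.append(data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace"))
        pos += 46 + name_len + extra_len + comment_len
    return {
        "is_zip": True,
        "entries": entries,
        "names": names,
        "first_lfh_ok": data[:4] == LFH_SIG,   # False for the disguised file
    }


def repair_zip_header(data: bytes) -> bytes:
    """The hex-editor fix from the writeup: put 'PK' back in front of the
    remaining two signature bytes of the first local file header."""
    if data[:4] == LFH_SIG:
        return data
    if data[2:4] == LFH_SIG[2:]:
        return LFH_SIG + data[4:]
    raise ValueError("first local file header needs more than a 2-byte patch")


def read_member(data: bytes, name: str):
    """Return a member's contents, or None when its local header is bad
    (zipfile lists members from the central directory but refuses to
    read one whose local header signature is wrong)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.read(name)
    except zipfile.BadZipFile:
        return None
```

Note that `zip_fingerprint` still lists all three names on the disguised file, because the central directory is intact; only reading a member fails until the local header signature is restored. That is also why `file` is fooled while `unzip -l` is not.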

A quick look at the files shows that we have one JPG image, one zip file with a ‘key.txt’ inside, and a PCAP file.

Now let’s go through each file.

file_1:

This was a simple image whose JPEG comment contained a Base64-encoded string. It is trivial to retrieve the data, as shown below.

file_2:

Next, the zip file. We used the decoded string as the password and extracted key.txt successfully.
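The two steps above (pull the comment out of the JPEG, decode it, use it as the zip password) as one added example; this is not the author's code and the image, secret and member name are constructed. The walker reads the JPEG marker segments in order and collects the COM (0xFFFE) payloads, which is where tools such as `exiftool` or `strings` would show the comment; the zip step uses the standard library, which only understands traditional ZipCrypto protection.

```python
import base64
import io
import struct
import zipfile

SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE


def jpeg_segments(data: bytes):
    """Yield (marker, payload) for every marker segment up to SOS/EOI."""
    if data[:2] != b"\xff" + bytes([SOI]):
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("lost marker sync at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte, keep scanning
            pos += 1
            continue
        if marker in (EOI, SOS):                # entropy-coded data follows SOS; stop
            return
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # TEM / RSTn: no length field
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment at offset %d" % pos)
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # includes the 2 length bytes
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def jpeg_comments(data: bytes) -> list:
    """All COM (0xFFFE) payloads; the challenge image hid its string here."""
    return [payload for marker, payload in jpeg_segments(data) if marker == COM]


def decode_base64_comment(comment: bytes) -> bytes:
    return base64.b64decode(comment.strip(), validate=True)


def extract_with_password(zip_bytes: bytes, password: bytes, member: str) -> bytes:
    """Read one member of a password-protected zip. The stdlib only speaks
    traditional ZipCrypto; an AES-encrypted (WinZip) archive raises
    NotImplementedError and needs 7z or pyzipper instead."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.read(member, pwd=password)   # RuntimeError on a wrong password


def build_sample_jpeg(secret: bytes) -> bytes:
    """Constructed test image: SOI, an APP0 stub, a COM segment carrying
    base64(secret), then EOI. Enough structure for the walker above."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    com = base64.b64encode(secret)
    seg = lambda marker, body: b"\xff" + bytes([marker]) + struct.pack(">H", len(body) + 2) + body
    return b"\xff\xd8" + seg(0xE0, app0) + seg(COM, com) + b"\xff\xd9"
```

Usage on real files is `decode_base64_comment(jpeg_comments(open("file_1.jpg", "rb").read())[0])` followed by `extract_with_password(open("file_2.zip", "rb").read(), password, "key.txt")`. Stopping at SOS matters: after that marker the stream is entropy-coded data where 0xFF bytes are byte-stuffed, so a naive marker scan would misparse it.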

file_3:

We noticed some ESP packets, and with the information in ‘key.txt’ we can decrypt them by following this Wireshark guide.
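Before the keys from ‘key.txt’ can be entered, Wireshark's ESP SA table (Preferences → Protocols → ESP, with "Attempt to detect/decode encrypted ESP payloads" enabled) needs one row per security association: protocol, source, destination and SPI, plus the encryption and authentication algorithms and keys. The following added example, not part of the original writeup, enumerates exactly those SAs from a classic pcap with the standard library alone, so you know how many rows to fill in and in which direction each SPI runs. The capture, addresses and SPIs are constructed; the challenge's real values are not on the page.

```python
import ipaddress
import struct
from collections import defaultdict

ESP_PROTO = 50
ETHERTYPE_IPV4 = b"\x08\x00"
PCAP_MAGIC = 0xA1B2C3D4
PCAP_MAGIC_SWAPPED = 0xD4C3B2A1


def esp_sas(pcap: bytes) -> dict:
    """Walk a classic (not pcapng) Ethernet pcap and collect
    {(src, dst, spi): [sequence numbers]} for every ESP packet."""
    (magic,) = struct.unpack("<I", pcap[:4])
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == PCAP_MAGIC_SWAPPED:
        endian = ">"
    else:
        raise ValueError("not a classic pcap (pcapng or nanosecond magic not handled)")
    (linktype,) = struct.unpack(endian + "I", pcap[20:24])
    if linktype != 1:
        raise ValueError("only LINKTYPE_ETHERNET (1) is handled")
    sas = defaultdict(list)
    pos = 24
    while pos + 16 <= len(pcap):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", pcap[pos:pos + 16])
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != ETHERTYPE_IPV4:
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != ESP_PROTO or len(ip) < ihl + 8:
            continue
        src = str(ipaddress.IPv4Address(ip[12:16]))
        dst = str(ipaddress.IPv4Address(ip[16:20]))
        spi, seq = struct.unpack(">II", ip[ihl:ihl + 8])   # ESP header: SPI, sequence number
        sas[(src, dst, spi)].append(seq)
    return dict(sas)


def wireshark_sa_rows(sas: dict) -> list:
    """One line per SA in the order Wireshark's ESP SA table asks for
    (protocol, source, destination, SPI); algorithms and keys come from key.txt."""
    return ["IPv4  %s  %s  0x%08x" % (src, dst, spi) for (src, dst, spi) in sorted(sas)]


def build_sample_pcap() -> bytes:
    """Constructed capture: two ESP packets on one SA plus one packet on the
    reverse-direction SA. Payloads are zero filler standing in for ciphertext."""
    def record(src, dst, spi, seq):
        esp = struct.pack(">II", spi, seq) + b"\x00" * 32
        ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(esp), 0, 0, 64, ESP_PROTO, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
        frame = b"\x00" * 12 + ETHERTYPE_IPV4 + ip + esp
        return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    return (header
            + record("10.0.0.1", "10.0.0.2", 0xC0FFEE01, 1)
            + record("10.0.0.1", "10.0.0.2", 0xC0FFEE01, 2)
            + record("10.0.0.2", "10.0.0.1", 0xDEADBEEF, 1))
```

An IPsec conversation normally shows up as two SAs, one per direction, each with its own SPI and keys; if ‘key.txt’ lists two key sets, that is why. Collecting the sequence numbers is a cheap sanity check that a capture is complete (gaps mean missing packets, which will also break CBC decryption of the affected packet only).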

Awesome! Now we see the traffic decrypted. We quickly spotted some HTTP requests carrying a message and the string ‘TMCTF{}’, the format used in this CTF to mark the flag.

By googling ‘M4 Navy’ we realized that we were now facing an Enigma machine crypto challenge. I used this online service for this purpose.
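For readers who would rather not paste a CTF message into a web service, here is an offline M4 (Kriegsmarine, four-rotor) Enigma simulator as an added example; it is not the author's tool and the page does not give the rotor order, ring settings, start positions or plugboard used in the challenge, so those are all parameters here. Rotor and reflector wirings are the historical ones. The check it ships with relies on a known property of the M4: with Beta at position A and the thin B reflector it behaves like a three-rotor machine with reflector B, for which rotors I, II, III at AAA turn "AAAAA" into "BDZGO".

```python
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

# Historical wirings and turnover notches. Beta/Gamma sit in the fourth
# (leftmost) slot of the M4 and never step.
ROTORS = {
    "I":     ("EKMFLGDQVZNTOWYHXUSPAIBRCJ", "Q"),
    "II":    ("AJDKSIRUXBLHWTMCQGZNPYFVOE", "E"),
    "III":   ("BDFHJLCPRTXVZNYEIWGAKMUSQO", "V"),
    "IV":    ("ESOVPZJAYQUIRHXLNFTGKDCMWB", "J"),
    "V":     ("VZBRGITYUPSDNHLXAWMJQOFECK", "Z"),
    "VI":    ("JPGVOUMFYQBENHZRDKASXLICTW", "ZM"),
    "VII":   ("NZJHGRCXMYSWBOUFAIVLPEKQDT", "ZM"),
    "VIII":  ("FKQHTLXOCBJSPDZRAMEWNIUYGV", "ZM"),
    "Beta":  ("LEYJVCNIXWPBQMDRTAKZGFUHOS", ""),
    "Gamma": ("FSOKANUERHMBTIYCWLQPZXVGJD", ""),
}
REFLECTORS = {
    "B-thin": "ENKQAUYWJICOPBLMDXZVFTHRGS",
    "C-thin": "RDOBJNTKVEHMLFCWZAXGYIPSUQ",
}


class Rotor:
    def __init__(self, name, position, ring):
        wiring, notches = ROTORS[name]
        self.fwd = [ALPHABET.index(c) for c in wiring]
        self.bwd = [self.fwd.index(i) for i in range(26)]   # inverse permutation
        self.notches = {ALPHABET.index(c) for c in notches}
        self.pos = ALPHABET.index(position)    # letter showing in the window
        self.ring = ALPHABET.index(ring)       # Ringstellung

    def at_notch(self):
        return self.pos in self.notches

    def step(self):
        self.pos = (self.pos + 1) % 26

    def _through(self, c, table):
        # Rotation and ring setting shift the contact relative to the wiring.
        off = (self.pos - self.ring) % 26
        return (table[(c + off) % 26] - off) % 26

    def forward(self, c):
        return self._through(c, self.fwd)

    def backward(self, c):
        return self._through(c, self.bwd)


class EnigmaM4:
    """rotors, positions and rings are given left to right as on the machine:
    (fourth, left, middle, right). plugboard is e.g. "AB CD EF"."""

    def __init__(self, reflector, rotors, positions, rings, plugboard=""):
        self.reflector = [ALPHABET.index(c) for c in REFLECTORS[reflector]]
        self.rotors = [Rotor(n, p, r) for n, p, r in zip(rotors, positions, rings)]
        self.plug = list(range(26))
        for pair in plugboard.split():
            a, b = ALPHABET.index(pair[0]), ALPHABET.index(pair[1])
            self.plug[a], self.plug[b] = b, a

    def _step(self):
        _fourth, left, middle, right = self.rotors
        if middle.at_notch():          # double-stepping: middle carries the left rotor along
            middle.step()
            left.step()
        elif right.at_notch():
            middle.step()
        right.step()                   # the right rotor steps on every key press

    def encrypt(self, text):
        """Encrypt or decrypt (the machine is its own inverse). Non-letters are dropped."""
        out = []
        for ch in text.upper():
            if ch not in ALPHABET:
                continue
            self._step()               # rotors move before the contact is made
            c = self.plug[ALPHABET.index(ch)]
            for r in reversed(self.rotors):   # right rotor first on the way in
                c = r.forward(c)
            c = self.reflector[c]
            for r in self.rotors:             # then back out through the left ones
                c = r.backward(c)
            out.append(ALPHABET[self.plug[c]])
        return "".join(out)
```

Because the machine is reciprocal, decrypting is just feeding the ciphertext to a fresh instance with the same settings. Any online Enigma service does the same work; the point of having a local copy is that you can script a search over unknown settings (ring positions, rotor order) against a crib such as ‘TMCTF{’ instead of clicking through them.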